Rick Chen
78047fa17b
sensors: Add sensor related rule to chre.
...
[ 8.417813] type=1400 audit(1615518074.988:4): avc: denied { write } for comm="sensors@2.0-ser" name="chre" dev="tmpfs" ino=908 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:chre_socket:s0 tclass=sock_file permissive=1
[ 8.418075] type=1400 audit(1615518074.988:5): avc: denied { connectto } for comm="sensors@2.0-ser" path="/dev/socket/chre" scontext=u:r:hal_sensors_default:s0 tcontext=u:r:chre:s0 tclass=unix_stream_socket permissive=1
03-12 11:01:14.988 694 694 I sensors@2.0-ser: type=1400 audit(0.0:5): avc: denied { connectto } for path="/dev/socket/chre" scontext=u:r:hal_sensors_default:s0 tcontext=u:r:chre:s0 tclass=unix_stream_socket permissive=1
Also merge two sensor_hal related files into single file.
Bug: 182523946
Test: make selinux_policy -j128 and push to device.
No hal_sensors_default related avc denied log during boot.
Signed-off-by: Rick Chen <rickctchen@google.com>
Change-Id: I49ce71ba4703528fb2e26dd8956c4ed741337ffc
2021-03-17 10:34:14 +08:00
Adam Shih
7c0fd2a413
update error on ROM 7213588
...
Bug: 182954169
Bug: 182954060
Bug: 182954138
Bug: 182954062
Bug: 182953824
Bug: 182953825
Bug: 182954248
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: I8417d4ebacefa691838e25131749b0e4fd152a2f
2021-03-17 10:15:02 +08:00
Benjamin Schwartz
fe980b935b
Merge "Give power stats HAL permission to read ufs stats" into sc-dev
2021-03-17 02:09:54 +00:00
TreeHugger Robot
23017e956d
Merge "allow df to collect partition info" into sc-dev
2021-03-17 01:52:43 +00:00
Benjamin Schwartz
ed8fdc9997
Fix sepolicies for hal_power_stats_default
...
Bug: 182320246
Test: No more avc denied log messages for hal_power_stats_default
Change-Id: I1cd801bb4823e80bd5ea112fb0b7bdfaeabbdef5
2021-03-16 10:37:09 -07:00
TreeHugger Robot
96d0c28dc4
Merge "display: add sepolicy for hal_graphics_composer" into sc-dev
2021-03-16 12:05:50 +00:00
Hsiaoan Hsu
46fedc2148
Add Sepolicy rule for connectivity monitor app
...
sync sepolicy from previous projects.
Bug: 182715920
Test: build pass. connectivity monitor service running successfully.
Change-Id: Id5606b5db74fbf672ac41549862a83557734ac57
2021-03-16 15:48:53 +08:00
raylinhsu
031fe80418
display: add sepolicy for hal_graphics_composer
...
Allow HWC to access vendor_log_file and also allow hwc to access
power hal
Bug: 181712799
Test: pts -m PtsSELinuxTest -t
com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot
Change-Id: I403a528f651b9ee5755d11525f2a33c39628ecee
2021-03-16 13:50:48 +08:00
SalmaxChang
b70e0bebdd
MDS: Fix avc errors
...
avc: denied { search } for name="vendor" dev="tmpfs" ino=2 scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=1 app=com.google.mds
avc: denied { search } for name="vendor" dev="tmpfs" ino=2 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=1 app=com.google.mds
avc: denied { search } for comm=4173796E635461736B202332 name="radio" dev="dm-9" ino=242 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1 app=com.google.mds
avc: denied { call } for comm=4173796E635461736B202331 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:dmd:s0 tclass=binder permissive=1 app=com.google.mds
avc: denied { write } for name="property_service" dev="tmpfs" ino=316 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1 app=com.google.mds
avc: denied { read } for name="u:object_r:vendor_modem_prop:s0" dev="tmpfs" ino=289 scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:vendor_modem_prop:s0 tclass=file permissive=1 app=com.google.mds
avc: denied { search } for comm=4173796E635461736B202331 name="chosen" dev="sysfs" ino=9330 scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:sysfs_chosen:s0 tclass=dir permissive=1 app=com.google.mds
Bug: 181185131
Bug: 179110848
Change-Id: I1ac00b68e2db44cc86f6b5c70001cda78264ff6e
2021-03-16 02:27:54 +00:00
Benjamin Schwartz
a1f92cdd90
Give power stats HAL permission to read ufs stats
...
Bug: 140217385
Test: dumpsys android.hardware.power.stats.IPowerStats/default
Change-Id: Ib3fa9440982bc5846053e9ddf56d3ed178599c0c
2021-03-15 17:37:29 -07:00
Adam Shih
0218941cb8
allow df to collect partition info
...
Bug: 179310854
Test: do bugreport and the error disappears
Change-Id: I9fdcbb27742a70f3b796c668c3e0d4688d36b4d8
2021-03-15 11:00:41 +08:00
Adam Shih
45e33146f1
Allow bluetooth hal to get boot status
...
[ 5.299448] type=1400 audit(1615772363.892:3): avc: denied { read } for comm="bluetooth@1.1-s" name="u:object_r:boot_status_prop:s0" dev="tmpfs" ino=81 scontext=u:r:hal_bluetooth_btlinux:s0 tcontext=u:object_r:boot_status_prop:s0 tclass=file permissive=1
Bug: 171942789
Test: boot and see that such log no longer appears
Change-Id: Ib27585183be1ba9913b5f0620d987f26fad663e0
2021-03-15 09:41:48 +08:00
Benjamin Schwartz
aa41c84ad1
Merge "whitechapel: Correct acpm_stats path" into sc-dev
2021-03-12 17:41:35 +00:00
TreeHugger Robot
3b10aeadae
Merge "allow init to mount modem_img" into sc-dev
2021-03-12 06:01:50 +00:00
Wen Chang Liu
e72c30346f
Merge changes Ie0ed96d7,Id7f43fe1 into sc-dev
...
* changes:
Add sepolicy for BigOcean device
Add sepolicy for MFC device
2021-03-12 05:41:08 +00:00
Adam Shih
fdeedcba65
allow init to mount modem_img
...
Bug: 182524202
Bug: 182524203
Test: modem_img is mounted under enforcing mode
Change-Id: Ie5448468d4d7f1ad6acdd2c93055bba9001185d1
2021-03-12 12:54:22 +08:00
Sung-fang Tsai
1bcf7d412a
Merge "Mark lib_aion_buffer and related library as same_process_hal_file" into sc-dev
2021-03-12 04:18:59 +00:00
Vova Sharaienko
175c2eaa31
Merge "Stats: new sepolicy for the AIDL service" into sc-dev
2021-03-12 03:32:22 +00:00
wenchangliu
f98706e87b
Add sepolicy for BigOcean device
...
add /dev/bigocean to video_device
avc: denied { read write } for name="bigocean" dev="tmpfs" ino=629 \
scontext=u:r:mediacodec:s0 tcontext=u:object_r:device:s0 \
tclass=chr_file permissive=1
avc: denied { open } for path="/dev/bigocean" dev="tmpfs" ino=629 \
scontext=u:r:mediacodec:s0 tcontext=u:object_r:device:s0 \
tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/bigocean" dev="tmpfs" ino=629 \
ioctlcmd=0x4202 scontext=u:r:mediacodec:s0 tcontext=u:object_r:device:s0 \
tclass=chr_file permissive=1
avc: denied { ioctl } for comm=436F646563322E30204C6F6F706572 path="/dev/bigocean" \
dev="tmpfs" ino=629 ioctlcmd=0x4202 scontext=u:r:mediacodec:s0 \
tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
Bug: 172173484
Test: Play AV1 clips in enforcing mode
Change-Id: Ie0ed96d7bf4324bd38a9c42500f4f747f092bfd9
2021-03-12 10:54:10 +08:00
wenchangliu
b52121a259
Add sepolicy for MFC device
...
- Add sysfs_video type for mfc device
- Allow mediacodec to access sysfs_video
avc: denied { read } for name="name" dev="sysfs" ino=62278 \
scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1
avc: denied { open } for path="/sys/devices/platform/mfc/video4linux/video7/name" \
dev="sysfs" ino=62278 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1
avc: denied { getattr } for path="/sys/devices/platform/mfc/video4linux/video7/name" \
dev="sysfs" ino=62278 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1
avc: denied { read } for name="name" dev="sysfs" ino=62230 \
scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1
avc: denied { open } for path="/sys/devices/platform/mfc/video4linux/video6/name" \
dev="sysfs" ino=62230 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1
avc: denied { getattr } for path="/sys/devices/platform/mfc/video4linux/video6/name" \
dev="sysfs" ino=62230 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 \
tclass=file permissive=1
Bug: 172173484
Test: video playback / camera recording with enforcing mode
Change-Id: Id7f43fe11c9ed089067f43a50d7f765df873d6c6
2021-03-12 10:51:41 +08:00
Ahmed ElArabawy
4a0294348b
Merge "Wifi: Add sepolicy files for wifi_ext service" into sc-dev
2021-03-12 01:37:36 +00:00
Vova Sharaienko
2ed30c23e3
Stats: new sepolicy for the AIDL service
...
This allows the pixelstats_vendor to communicate with the new AIDL IStats service via ServiceManager
Bug: 181914749
Test: Build, flash, and logcat -s "pixelstats_vendor"
Change-Id: Icf1bbbd7f72835fe8f9c2f23281a2f5b4bf8e698
2021-03-12 01:12:21 +00:00
Benjamin Schwartz
bfa18a7b2a
whitechapel: Correct acpm_stats path
...
Bug: 182320246
Test: dumpsys android.hardware.power.stats.IPowerStats/default
Change-Id: I7a67b31e28f34d606cfab369b9e982e9fffe3b3f
2021-03-11 15:52:48 -08:00
Pat Tjin
854db479bb
Merge "Move wireless charger HAL to 1.3" into sc-dev
2021-03-11 19:57:54 +00:00
Sung-fang Tsai
82376e2d49
Mark lib_aion_buffer and related library as same_process_hal_file
...
To allow access by Google Camera App, which needs this for vendor-specific
buffer management functionality to enable zero-copy camera RAW->GPU buffer
handling.
Test: GCA works with forrest build P20546991.
Bug: 159839616
Change-Id: I71bdcd12f17013881d7a5da2f11e444f0d3b4f94
2021-03-11 12:02:04 +00:00
Eddie Tashjian
78cd6eb78e
Add selinux policies for mounted modem partition
...
Bug: 178980032
Bug: 178979986
Bug: 179198083
Bug: 179198085
Bug: 178980065
Test: Check selinux denials
Change-Id: I7f826442d1536946d0e84aadfd80f679c0f4d6da
2021-03-11 10:16:27 +00:00
TreeHugger Robot
ef6e91692a
Merge changes I68aace66,Idf510e4a into sc-dev
...
* changes:
gs101-sepolicy: Add twoshay permissions
Add touch procfs and sysfs sepolicy
2021-03-11 09:16:51 +00:00
Lopy Cheng
5019452cbb
HardwareInfo: Add sepolicy for display
...
hardwareinfo: type=1400 audit(0.0:17): avc: denied { read } for name="serial_number" dev="sysfs" ino=68309 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:sysfs_display:s0 tclass=file permissive=1 app=com.google.android.hardwareinfo
hardwareinfo: type=1400 audit(0.0:18): avc: denied { open } for path="/sys/devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number" dev="sysfs" ino=68309 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:sysfs_display:s0 tclass=file permissive=1 app=com.google.android.hardwareinfo
hardwareinfo: type=1400 audit(0.0:19): avc: denied { getattr } for path="/sys/devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number" dev="sysfs" ino=68309 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:sysfs_display:s0 tclass=file permissive=1 app=com.google.android.hardwareinfo
Bug: 161943795
Test:
1. Remove hardwareinfo app
rm -r /data/data/com.google.android.hardwareinfo/
2. Connect wifi and reboot
3. Check the HardwareInfoService status.
4. There is no AVC denied log.
Change-Id: I4d1c83a1c5b0f2f3bdd64ab79ab45fb69470b25b
2021-03-11 08:38:43 +00:00
yihsiangpeng
cc8429cc0d
Move wireless charger HAL to 1.3
...
Bug: 179464598
Signed-off-by: yihsiangpeng <yihsiangpeng@google.com>
Change-Id: I73d1d811f2483bbe80e7d4aea1f6e9f143bc2836
2021-03-11 14:47:49 +08:00
TreeHugger Robot
db0ca5a3b2
Merge changes I6f6e8359,Ib7bf4029 into sc-dev
...
* changes:
label kernel modules and grant bt permission
update error on ROM 7196668
2021-03-11 03:53:57 +00:00
TreeHugger Robot
d2cee097f8
Merge "Fix avc denied in OMA DM" into sc-dev
2021-03-10 15:52:45 +00:00
Tai Kuo
8cac55487b
gs101-sepolicy: Add twoshay permissions
...
Add twoshay and touch input context library permissions
Bug: 173330899
Bug: 173330981
Test: check boot-time twoshay startup and no denials.
Signed-off-by: Steve Pfetsch <spfetsch@google.com>
Change-Id: I68aace66f49c2af1ebfd4bde7082039f9caf3f64
Signed-off-by: Tai Kuo <taikuo@google.com>
2021-03-10 22:23:49 +08:00
SalmaxChang
6247ff69b2
cbd: Fix avc errors
...
avc: denied { setuid } for comm="cbd" capability=7 scontext=u:r:cbd:s0 tcontext=u:r:cbd:s0 tclass=capability permissive=1
avc: denied { search } for comm="cbd" name="vendor" dev="tmpfs" ino=2 scontext=u:r:cbd:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=1
Bug: 178331928
Bug: 171267363
Change-Id: Icf28f494f05ee386ce94213929926369f2775173
2021-03-10 13:33:43 +00:00
Tai Kuo
4dd3e1e99e
Add touch procfs and sysfs sepolicy
...
Touch palm sepolicies are not included.
Bug: 173330981
Test: No avc denied log for touch sysfs, procfs access.
Signed-off-by: Tai Kuo <taikuo@google.com>
Change-Id: Idf510e4a9c65e5af0885159353ef85d6b6ec553f
2021-03-10 17:00:16 +08:00
Calvin Pan
47bf48c03b
Fix avc denied in OMA DM
...
03-10 11:30:05.640 30617 30617 I auditd : type=1400 audit(0.0:493): avc: denied { search } for comm="IntentService[D" name="radio" dev="dm-6" ino=242 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1 app=com.android.omadm.service
03-10 11:30:05.640 30617 30617 I IntentService[D: type=1400 audit(0.0:493): avc: denied { search } for name="radio" dev="dm-6" ino=242 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1 app=com.android.omadm.service
03-10 11:30:05.640 30617 30617 I auditd : type=1400 audit(0.0:494): avc: denied { getattr } for comm="IntentService[D" path="/data/vendor/radio/omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service
03-10 11:30:05.640 30617 30617 I IntentService[D: type=1400 audit(0.0:494): avc: denied { getattr } for path="/data/vendor/radio/omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service
03-10 11:30:05.640 30617 30617 I auditd : type=1400 audit(0.0:495): avc: denied { setattr } for comm="IntentService[D" name="omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service
03-10 11:30:05.640 30617 30617 I IntentService[D: type=1400 audit(0.0:495): avc: denied { setattr } for name="omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service
03-10 11:30:05.640 30617 30617 I auditd : type=1400 audit(0.0:496): avc: denied { append } for comm="IntentService[D" name="omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service
03-10 11:30:05.640 30617 30617 I IntentService[D: type=1400 audit(0.0:496): avc: denied { append } for name="omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service
03-10 11:30:05.640 30617 30617 I auditd : type=1400 audit(0.0:497): avc: denied { open } for comm="IntentService[D" path="/data/vendor/radio/omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service
03-10 11:30:05.640 30617 30617 I IntentService[D: type=1400 audit(0.0:497): avc: denied { open } for path="/data/vendor/radio/omadm_logs.txt" dev="dm-6" ino=17137 scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_vendor_data_file:s0:c512,c768 tclass=file permissive=1 app=com.android.omadm.service
03-10 11:57:07.155 386 386 E SELinux : avc: denied { find } for pid=8406 uid=10141 name=autofill scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:autofill_service:s0 tclass=service_manager permissive=1
03-10 11:57:07.155 386 386 I auditd : avc: denied { find } for pid=8406 uid=10141 name=autofill scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:autofill_service:s0 tclass=service_manager permissive=1
03-10 12:26:05.904 388 388 E SELinux : avc: denied { find } for pid=12124 uid=10141 name=activity scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=1
03-10 12:26:05.904 388 388 I auditd : avc: denied { find } for pid=12124 uid=10141 name=activity scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=1
03-10 12:26:05.931 388 388 E SELinux : avc: denied { find } for pid=12124 uid=10141 name=activity_task scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:activity_task_service:s0 tclass=service_manager permissive=1
03-10 12:26:05.931 388 388 I auditd : avc: denied { find } for pid=12124 uid=10141 name=activity_task scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:activity_task_service:s0 tclass=service_manager permissive=1
03-10 12:26:05.960 388 388 E SELinux : avc: denied { find } for pid=12124 uid=10141 name=SurfaceFlinger scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager permissive=1
03-10 12:26:05.960 388 388 I auditd : avc: denied { find } for pid=12124 uid=10141 name=SurfaceFlinger scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager permissive=1
03-10 12:26:05.960 388 388 E SELinux : avc: denied { find } for pid=12124 uid=10141 name=gpu scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:gpu_service:s0 tclass=service_manager permissive=1
03-10 12:26:05.960 388 388 I auditd : avc: denied { find } for pid=12124 uid=10141 name=gpu scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:gpu_service:s0 tclass=service_manager permissive=1
03-10 12:26:06.041 388 388 E SELinux : avc: denied { find } for pid=12124 uid=10141 name=audio scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1
03-10 12:26:06.041 388 388 I auditd : avc: denied { find } for pid=12124 uid=10141 name=audio scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1
03-10 12:35:40.653 387 387 E SELinux : avc: denied { find } for pid=8328 uid=10141 name=tethering scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:tethering_service:s0 tclass=service_manager permissive=1
03-10 12:35:40.654 387 387 I auditd : avc: denied { find } for pid=8328 uid=10141 name=tethering scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:tethering_service:s0 tclass=service_manager permissive=1
03-10 12:35:40.658 387 387 E SELinux : avc: denied { find } for pid=8328 uid=10141 name=isub scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_service:s0 tclass=service_manager permissive=1
03-10 12:35:40.658 387 387 I auditd : avc: denied { find } for pid=8328 uid=10141 name=isub scontext=u:r:omadm_app:s0:c141,c256,c512,c768 tcontext=u:object_r:radio_service:s0 tclass=service_manager permissive=1
Bug: 173990082
Test: Trigger OMA DM
Change-Id: Ie66ecd1c9d80f7b12a4545f3651dd2c5f02b119b
2021-03-10 15:54:08 +08:00
Jack Wu
522a8aefcf
hal_health_default: Fix avc denials
...
[ 5.146740] type=1400 audit(1611123521.796:23): avc: denied { search } for comm="android.hardwar" name="4-003c" dev="sysfs" ino=56632 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=dir permissive=1
[ 5.425436] type=1400 audit(1611123522.076:24): avc: denied { search } for comm="health@2.1-serv" name="4-003c" dev="sysfs" ino=56632 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=dir permissive=1
[ 29.943710] type=1400 audit(1611123546.592:483): avc: denied { write } for comm="health@2.1-serv" name="mode" dev="sysfs" ino=14741 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
01-20 14:18:41.796 656 656 I android.hardwar: type=1400 audit(0.0:23): avc: denied { search } for name="4-003c" dev="sysfs" ino=56632 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:sysfs_wlc:s0 tclass=dir permissive=1
Bug: 177966434
Test: Verify pass by checking device log are w/o above errors after
Signed-off-by: Jack Wu <wjack@google.com>
Change-Id: I576547e27dceb55fd768de2834e3bb0155857f56
2021-03-10 14:13:38 +08:00
Adam Shih
58b3344c7a
label kernel modules and grant bt permission
...
Bug: 182320300
Bug: 182320258
Test: boot to home and connect to bluetooth headset under enforcing mode
Change-Id: I6f6e8359d03eb4205268d56a1fcd50ce1445f442
2021-03-10 10:36:45 +08:00
TreeHugger Robot
c625222492
Merge "hal_power_stats_default: Fix avc denials" into sc-dev
2021-03-10 02:11:04 +00:00
TreeHugger Robot
c8e903d1c8
Merge "dumpstate: allow dumpstate to access displaycolor" into sc-dev
2021-03-10 01:15:42 +00:00
Yu-Chi Cheng
02ecfdcc0d
Merge "Allowed the EdgeTPU service to access Package Manager binder service." into sc-dev
2021-03-09 15:00:12 +00:00
Jack Wu
a3678d9487
hal_power_stats_default: Fix avc denials
...
[ 351.298850] type=1400 audit(1614041245.976:13): avc: denied { read } for comm="android.hardwar" name="hf1_wfi" dev="sysfs" ino=78155 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=file permissive=1
[ 698.658433] type=1400 audit(1614041593.336:1733): avc: denied { open } for comm="stats@1.0-servi" path="/sys/devices/platform/19000000.aoc/control/monitor_mode" dev="sysfs" ino=78158 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=file permissive=1
02-23 08:53:13.336 673 673 I stats@1.0-servi: type=1400 audit(0.0:1734): avc: denied { getattr } for path="/sys/devices/platform/19000000.aoc/control/monitor_mode" dev="sysfs" ino=78158 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=file permissive=1
02-23 08:52:26.228 670 670 I android.hardwar: type=1400 audit(0.0:724): avc: denied { search } for name="19000000.aoc" dev="sysfs" ino=18343 scontext=u:r:hal_power_stats_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=dir permissive=1
Bug: 180963514
Test: Verify pass by checking device log are w/o above errors after
Signed-off-by: Jack Wu <wjack@google.com>
Change-Id: Iab245b320c1f6e75407f1fafb5ad20a087b1a707
2021-03-09 14:21:20 +00:00
raylinhsu
43fb32d300
dumpstate: allow dumpstate to access displaycolor
...
In bugreport, we need to dump libdisplaycolor information.
Hence, we should add corresponding sepolicy.
Bug: 181915591
Test: There is no avc denied regarding displaycolor when we
capture the bugreport.
Change-Id: I9f7f8f451fab24b4d0c49305d96b8db6b4d0eed4
2021-03-09 19:06:24 +08:00
Charlie Chen
e265637395
Merge changes I8de6132f,I2bc6057d into sc-dev
...
* changes:
Remove dma_buf_heap tracking_denials
Add missing permission to dmabuf_video_system_heap
2021-03-09 04:58:08 +00:00
Taehwan Kim
7d77820127
Add missing permission to dmabuf_video_system_heap
...
Bug: 153786620
Bug: 182086551
Bug: 182086552
Bug: 182086686
Bug: 182086482
Bug: 182086481
Bug: 182086550
Test: atest VtsHalMediaC2V1_0TargetVideoDecTest
Signed-off-by: Taehwan Kim <t_h.kim@samsung.com>
Change-Id: I2bc6057d16bbcc32ef8891f89c0440618d174982
2021-03-09 02:19:06 +00:00
TreeHugger Robot
9c51e64c6e
Merge "sepolicy: add sensor related rules for AIDL APIs" into sc-dev
2021-03-09 02:03:39 +00:00
TreeHugger Robot
9185f0aafd
Merge "Fix selinux error for vendor_telephony_app" into sc-dev
2021-03-09 01:01:45 +00:00
TreeHugger Robot
c5c7a85a0d
Merge "trusty_apploader: Fix avc errors" into sc-dev
2021-03-09 00:55:06 +00:00
Yu-Chi Cheng
d18a92b0ef
Allowed the EdgeTPU service to access Package Manager binder service.
...
EdgeTPU service will connect to the Package Manager service
to verify application signatures.
This change added the corresponding SELinux rules to allow such
connection.
Bug: 181821398
Test: Verified using Google Camera App on local device.
Change-Id: Ia32b3de102c162e28710e0aa917831e8de784183
2021-03-08 16:02:14 -08:00
Isaac Chiou
73ce34397a
Wifi: Add sepolicy files for wifi_ext service
...
This commit adds the sepolicy related files for wifi_ext service.
Bug: 171944352
Bug: 177966433
Bug: 177673356
Test: Manual
Change-Id: I1613e396fd4c904ed563dfd533fb4b8f807f9657
2021-03-08 19:36:29 +08:00
matthuang
94095e1fd3
sepolicy: add sensor related rules for AIDL APIs
...
SELinux : avc: denied { find } for pid=703 uid=1000name=android.frameworks.stats.IStats/default
scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:fwk_stats_service:s0 tclass=service_manager permissive=1
android.hardwar: type=1400 audit(0.0:24): avc: denied { transfer } for scontext=u:r:hal_sensors_default:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=1
Bug: 182086688
Test: make selinux_policy -j128 and push to device.
Test: avc denials have disappeared in boot log.
Change-Id: I13e658c1cef3bd24ae25cc1c22dd9336b4e45b0f
2021-03-08 09:00:36 +00:00